Your data and how you use it: the “differentiator” in cybersecurity
March 8, 2019, 2:21 pm
This content is provided by Symantec and Carahsoft.
In the summer of 2018, a cyber espionage group known as Thrip infiltrated satellite communications, geospatial imaging and defense organizations in the United States and Southeast Asia. They employed a novel attack strategy that allowed them to slip past most cybersecurity tools and largely escape notice. That is, until Symantec spotted them.
“What the Thrip attackers did was what we call a low-and-slow attack,” said Chris Townsend, Symantec’s vice president of Federal. “Essentially, they were living off the land. So they used tools that would not necessarily raise alarms and be picked up by security systems and over time, slowly infiltrated their targets and put in pieces of malware, and then assembled those under the radar of the security tools. And effectively what happened is they were able to infiltrate large telecommunication, geospatial and defense systems for espionage purposes.”
One of the tricks Thrip employed was turning the target's own operating system features and network administration tools against it, which is what allowed the group to avoid detection for so long.
“This is likely espionage,” Greg Clark, Symantec CEO, said at the time. “The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won’t notice their presence. They operate very quietly, blending into networks, and are only discovered using artificial intelligence that can identify and flag their movements. Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies.”
So how did Symantec uncover them?
Its artificial intelligence system, Targeted Attack Analytics (TAA), discovered the infiltration. The AI scours Symantec’s data lake, which is a repository for information collected from 200 million endpoints across the cybersecurity company’s 350,000 users worldwide. TAA also monitors the systems themselves for out-of-the-ordinary behavior from users. When it turns up suspicious patterns in the data or behavior, it alerts Symantec’s Attack Investigation team, which then digs deeper to turn up both the attack and the attacker.
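The detection idea described above, tooling that is routine on one host but out of the ordinary on another and that is introduced slowly over weeks, can be illustrated with a small per-host first-seen detector over process telemetry. What follows is an added example written for this page, not Symantec's TAA code: the telemetry lines, hostnames and user names are constructed, the watchlist of administration tools is a constructed sample, and the seven-day baseline window and two-tool threshold are assumptions chosen for the illustration.

```python
"""Per-host baseline of observed processes, then flag administration tools
that first appear on a host after the baseline period. Added example; the
data and thresholds below are constructed, not from any real investigation."""
from collections import defaultdict
from datetime import datetime

# Administration tools that are legitimate on an administrator's workstation
# but rarely launched by ordinary users. Constructed watchlist for this example.
ADMIN_TOOLS = {"powershell.exe", "psexec.exe", "wmic.exe", "net.exe",
               "certutil.exe", "bitsadmin.exe"}

# Constructed sample telemetry: "<ISO timestamp> <host> <user> <process>".
# ws-07 is an ordinary user's machine; admin-01 belongs to an administrator.
TELEMETRY = """\
2018-06-01T08:01:00 ws-07 alice explorer.exe
2018-06-01T08:05:00 ws-07 alice outlook.exe
2018-06-01T09:10:00 ws-07 alice winword.exe
2018-06-02T08:02:00 ws-07 alice explorer.exe
2018-06-03T10:30:00 ws-07 alice outlook.exe
2018-06-01T07:50:00 admin-01 bob powershell.exe
2018-06-01T07:55:00 admin-01 bob psexec.exe
2018-06-02T08:00:00 admin-01 bob wmic.exe
2018-06-03T08:10:00 admin-01 bob powershell.exe
2018-06-12T14:02:00 ws-07 alice powershell.exe
2018-06-19T23:41:00 ws-07 alice wmic.exe
2018-06-26T02:17:00 ws-07 alice psexec.exe
2018-06-12T09:00:00 admin-01 bob psexec.exe
2018-06-20T09:05:00 admin-01 bob net.exe
"""

# Assumption: the first week of telemetry is treated as the known-good baseline.
BASELINE_END = datetime(2018, 6, 8)


def parse(text):
    """Turn the whitespace-separated telemetry into (timestamp, host, user, process) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, proc = line.split()
        records.append((datetime.fromisoformat(ts), host, user, proc.lower()))
    return records


def build_baseline(records, baseline_end):
    """Set of process names seen on each host before the baseline cut-off."""
    seen = defaultdict(set)
    for ts, host, _user, proc in records:
        if ts < baseline_end:
            seen[host].add(proc)
    return seen


def detect(records, baseline_end, min_distinct=2):
    """Flag hosts on which at least `min_distinct` different administration tools
    appear for the first time after the baseline. A single new tool is tolerated
    (admins do try new things); several, spread over time, is the low-and-slow
    pattern worth handing to an analyst."""
    baseline = build_baseline(records, baseline_end)
    new_tools = defaultdict(list)
    for ts, host, user, proc in sorted(records):
        if ts >= baseline_end and proc in ADMIN_TOOLS and proc not in baseline[host]:
            new_tools[host].append((ts, user, proc))
    findings = {}
    for host, events in new_tools.items():
        distinct = {p for _, _, p in events}
        if len(distinct) >= min_distinct:
            findings[host] = {
                "tools": sorted(distinct),
                "users": sorted({u for _, u, _ in events}),
                # how many days the activity was spread over: the "slow" part
                "span_days": (events[-1][0] - events[0][0]).days,
            }
    return findings


def run_example(min_distinct=2):
    """Run the detector over the constructed telemetry."""
    return detect(parse(TELEMETRY), BASELINE_END, min_distinct)


if __name__ == "__main__":
    for host, info in run_example().items():
        print(f"{host}: {info['tools']} by {info['users']} over {info['span_days']} days")
```

On the constructed data the administrator's host stays quiet even though one new tool (net.exe) appears there, while the ordinary workstation is flagged for three administration tools introduced one week apart. Lowering `min_distinct` to 1 flags both hosts, which shows why the threshold, like the baseline window, has to be tuned against an organization's own telemetry rather than fixed in advance.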
The TAA system, part of Symantec’s Advanced Threat Protection product, cuts hours of human analysis out of the process through automation and machine learning. That automation is necessary because Symantec’s data lake is massive: it comprises seven petabytes of data and grows by 15 terabytes a day. More than 80 analytic applications, run by 410 developers and researchers, operate on it across both Amazon Web Services and Microsoft Azure.
“We use artificial intelligence and advanced machine learning to do deep analysis on this data to identify new threats, and then, essentially after we do the analysis, we push that back out to all of our systems,” Townsend said. “So anybody that’s using a Symantec technology, whether it’s an endpoint, or a proxy, or cloud security, is the beneficiary of what we were able to learn. And as our advanced machine learning AI models, if you will, as they become more effective, and more refined, we get better at identifying new threats. And we’re able to, through some of our new tools, like our endpoint detection response tool, identify threats we didn’t identify in the past.”
And that’s what makes Symantec really effective at heading off these kinds of threats.
“Your threat data repositories are only as good as the amount and quality of data that you’re able to collect,” Townsend said. “We often get so wrapped up in a new product or new capability, but we don’t think about the intelligence that underlies the systems and really make them as effective as they are.”
That’s why Symantec puts so much emphasis on collecting data to support its threat assessment capabilities.
“This has always been a differentiator for Symantec,” Townsend said. “We’ve always had large data sets that we mined and leveraged the telemetry we collect from our endpoints to improve the overall security posture of our customers that are using our technology. So that’s nothing new. What’s new is the advancements in the machine learning models in the AI.”
Symantec employs a number of leading artificial intelligence PhDs, all working to improve this ability to mine its data lake to more effectively identify cyber threats.
It also acquires and merges with other cybersecurity companies regularly, adding their data to its own. In fact, it recently acquired a company called Blue Coat, which Townsend said increased Symantec’s data repository by 20 percent. He said it’s now one of the largest in the world, second only to the Defense Department.
“We’ve been using machine learning and AI for a long time in our systems, to find the data and to identify threats,” Townsend said. “And we’ve continued to refine that over the years. But again, as our models improve, and advancements are made in this space, it makes us that much more effective at identifying these threats.”
Symantec Corporation (NASDAQ: SYMC), the world’s leading cyber security company, helps organizations, governments and people secure their most important data wherever it lives. Organizations across the world look to Symantec for strategic, integrated solutions to defend against sophisticated attacks across endpoints, cloud and infrastructure. Likewise, a global community of more than 50 million people and families rely on Symantec’s Norton suite of products for protection at home and across their devices. Symantec operates one of the world’s largest civilian cyber intelligence networks, allowing it to see and protect against the most advanced threats. For additional information, please visit www.symantec.com or connect with us on Facebook, Twitter, and LinkedIn.